scap-security-guide/SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_010350-PR_7231.patch
2021-11-02 16:51:38 +00:00

547 lines
30 KiB
Diff

From f7bb6fc32091ad9d10ec8253505086670eb135ba Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Mon, 12 Jul 2021 10:06:41 -0400
Subject: [PATCH 1/4] Initial commit for RHEL-08-010350 STIG rule
---
.../ansible/shared.yml | 2 +-
.../bash/shared.sh | 2 +-
.../oval/shared.xml | 44 +++++++++++++------
.../rule.yml | 26 ++++++-----
.../tests/correct_group.pass.sh | 2 +-
.../tests/incorrect_group.fail.sh | 8 +++-
products/rhel8/profiles/stig.profile | 1 +
shared/references/cce-redhat-avail.txt | 1 -
.../data/profile_stability/rhel8/stig.profile | 1 +
.../profile_stability/rhel8/stig_gui.profile | 1 +
10 files changed, 57 insertions(+), 31 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
index f90c8e26b15..e0bb6b0dc1a 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = high
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
index fba25be6132..d5fb89487d5 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
find /lib \
/lib64 \
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
index 00f733ddc78..e3d64a8390e 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
@@ -1,27 +1,45 @@
<def-group>
- <definition class="compliance" id="root_permissions_syslibrary_files" version="2">
+ <definition class="compliance" id="root_permissions_syslibrary_files" version="1">
{{{ oval_metadata("
- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
- are owned by root.
+ Checks that /lib, /lib64, /usr/lib, /usr/lib64, and
+ objects therein, are group-owned by root.
") }}}
- <criteria >
- <criterion test_ref="test_root_permissions_for_syslibrary_files" />
+ <criteria operator="AND">
+ <criterion test_ref="test_group_ownership_lib_dir" />
+ <criterion test_ref="test_group_ownership_lib_files" />
</criteria>
</definition>
- <unix:file_test check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">
- <unix:object object_ref="root_permissions_for_system_wide_library_files" />
+ <unix:file_test check="all" check_existence="none_exist" comment="library directories gid root" id="test_group_ownership_lib_dir" version="1">
+ <unix:object object_ref="object_group_ownership_lib_dir" />
</unix:file_test>
- <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
- <!-- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
- are owned by root. -->
- <unix:path operation="pattern match">^\/lib(64)?|^\/usr\/lib(64)?</unix:path >
+ <unix:file_test check="all" check_existence="none_exist" comment="library files gid root" id="test_group_ownership_lib_files" version="1">
+ <unix:object object_ref="object_group_ownership_lib_files" />
+ </unix:file_test>
+
+ <unix:file_object comment="library directories" id="object_group_ownership_lib_dir" version="1">
+ <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to group with gid 0 (root) -->
+ <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_group_ownership_libraries_not_root</filter>
+ <filter action="exclude">group_dir_perms_state_symlink</filter>
+ </unix:file_object>
+
+ <unix:file_object comment="library files" id="object_group_ownership_lib_files" version="1">
+ <!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to group with gid 0 (root) -->
+ <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
+ <filter action="include">state_group_ownership_libraries_not_root</filter>
+ <filter action="exclude">group_dir_perms_state_symlink</filter>
</unix:file_object>
- <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >
+ <unix:file_state id="state_group_ownership_libraries_not_root" version="1">
<unix:group_id datatype="int" operation="not equal">0</unix:group_id>
</unix:file_state>
+
+ <unix:file_state id="group_dir_perms_state_symlink" version="1">
+ <unix:type operation="equals">symbolic link</unix:type>
+ </unix:file_state>
+
</def-group>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
index ff905dd08d..83371b8b9b 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: sle12,sle15
+prodtype: sle12,sle15,rhel8,fedora
title: |-
Verify the system-wide library files in directories
@@ -17,18 +17,18 @@ description: |-
All system-wide shared library files should be protected from unauthorised
access. If any of these files is not owned by root, correct its owner with
the following command:
- <pre>$ sudo chgrp root <i>DIR</i></pre>
+ <pre>$ sudo chgrp root <i>FILE</i></pre>
rationale: |-
- If the operating system were to allow any user to make changes to software libraries,
- then those changes might be implemented without undergoing the appropriate testing and
- approvals that are part of a robust change management process.
+ If the operating system were to allow any user to make changes to software libraries,
+ then those changes might be implemented without undergoing the appropriate testing and
+ approvals that are part of a robust change management process.
- This requirement applies to operating systems with software libraries that are
- accessible and configurable, as in the case of interpreted languages. Software libraries
- also include privileged programs which execute with escalated privileges. Only qualified
- and authorized individuals must be allowed to obtain access to information system components
- for purposes of initiating changes, including upgrades and modifications.
+ This requirement applies to operating systems with software libraries that are
+ accessible and configurable, as in the case of interpreted languages. Software libraries
+ also include privileged programs which execute with escalated privileges. Only qualified
+ and authorized individuals must be allowed to obtain access to information system components
+ for purposes of initiating changes, including upgrades and modifications.
severity: medium
@@ -45,7 +45,7 @@ references:
stigid@sle12: SLES-12-010875
stigid@sle15: SLES-15-010355
-ocil_clause: 'any system wide library directory is returned'
+ocil_clause: 'system wide library files are not group owned by root'
ocil: |-
System-wide library files are stored in the following directories:
@@ -54,6 +54,6 @@ ocil: |-
/usr/lib
/usr/lib64
</pre>
- To find if system-wide library files stored in these directories are group-owned by
+ To find if system-wide library files stored in these directories are not group-owned by
root run the following command for each directory <i>DIR</i>:
<pre>$ sudo find -L <i>DIR</i> ! -group root -type f </pre>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
index 7a8e65b4f3a..8722c2add65 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
@@ -4,6 +4,6 @@ for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
do
if [[ -d $SYSLIBDIRS ]]
then
- find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \;
+ find $SYSLIBDIRS ! -group root -exec chgrp root '{}' \;
fi
done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
index a4b99a9da14..1079046d14e 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
@@ -1,6 +1,10 @@
#!/bin/bash
-
-for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
+
+# There is a high probability that there will be nested subdirectories within the
+# shared system library directories, therefore we should test to make sure we
+# cover this. - cmm
+test -d /usr/lib/test_dir || mkdir -p /usr/lib/test_dir && chown nobody.nobody /usr/lib/test_dir
+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me /usr/lib/test_dir/test_me
do
if [[ ! -f $TESTFILE ]]
then
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 2508008d511..9569b2ad629 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -207,6 +207,7 @@ selections:
- file_ownership_library_dirs
# RHEL-08-010350
+ - root_permissions_syslibrary_files
# RHEL-08-010360
- package_aide_installed
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index f139d2ed76f..e0eb5ac045c 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -662,7 +662,6 @@ CCE-86518-8
CCE-86520-4
CCE-86521-2
CCE-86522-0
-CCE-86523-8
CCE-86524-6
CCE-86525-3
CCE-86526-1
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 765487c6f16..ebe7a91f45d 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -221,6 +221,7 @@ selections:
- postfix_client_configure_mail_alias
- require_emergency_target_auth
- require_singleuser_auth
+- root_permissions_syslibrary_files
- rsyslog_cron_logging
- rsyslog_remote_access_monitoring
- rsyslog_remote_loghost
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 9fd80aac727..97f940dc9ed 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -232,6 +232,7 @@ selections:
- postfix_client_configure_mail_alias
- require_emergency_target_auth
- require_singleuser_auth
+- root_permissions_syslibrary_files
- rsyslog_cron_logging
- rsyslog_remote_access_monitoring
- rsyslog_remote_loghost
From f16c085894e4dc7974637d44bf226d3acf19f3d1 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Mon, 12 Jul 2021 16:17:23 -0400
Subject: [PATCH 2/4] Updated existing rules for syslibrary files/dirs
---
.../ansible/shared.yml | 6 ++-
.../bash/shared.sh | 7 +++
.../dir_group_ownership_library_dirs/rule.yml | 4 ++
.../tests/all_dirs_ok.pass.sh | 3 +-
.../nobody_group_owned_dir_on_lib.fail.sh | 3 +-
.../ansible/shared.yml | 23 ++++++++--
.../oval/shared.xml | 44 ++++++-------------
.../tests/correct_group.pass.sh | 4 +-
.../tests/incorrect_group.fail.sh | 8 +---
products/rhel8/profiles/stig.profile | 1 +
shared/references/cce-redhat-avail.txt | 1 -
.../data/profile_stability/rhel8/stig.profile | 1 +
.../profile_stability/rhel8/stig_gui.profile | 1 +
13 files changed, 59 insertions(+), 47 deletions(-)
create mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml
index 80562991ac5..f6f2ab48afd 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = medium
@@ -20,4 +20,6 @@
state: "directory"
mode: "{{ item.mode }}"
with_items: "{{ library_dirs_not_group_owned_by_root.files }}"
- when: library_dirs_not_group_owned_by_root.matched > 0
+ when:
+ - library_dirs_not_group_owned_by_root.matched > 0
+ - item.gid != 0
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh
new file mode 100644
index 00000000000..365b9833188
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+
+find /lib \
+/lib64 \
+/usr/lib \
+/usr/lib64 \
+\! -group root -type d -exec chgrp root '{}' \;
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
index 4ff043270c8..cd02d95cb1c 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
@@ -1,5 +1,7 @@
documentation_complete: true
+prodtype: sle12,sle15,rhel8,fedora
+
title: 'Verify that Shared Library Directories Have Root Group Ownership'
description: |-
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
index 2a38e9a88bc..50fdb17bd2e 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
@@ -1,4 +1,5 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+
DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
find "$dirPath" -type d -exec chgrp root '{}' \;
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
index f794d9e878f..277bd7d60de 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
@@ -1,4 +1,5 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+
DIRS="/lib /lib64"
for dirPath in $DIRS; do
mkdir -p "$dirPath/testme" && chown root:nogroup "$dirPath/testme"
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
index e0bb6b0dc1a..ab3e85c4f7c 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
@@ -4,7 +4,24 @@
# complexity = high
# disruption = medium
-- name: "Set ownership to root of system-wide library files"
- command: "find {{ item }} ! -group root -type f -exec chgrp root '{}' \\;"
- with_items: [ '/lib', '/lib64', '/usr/lib', '/usr/lib64' ]
+- name: "Read list libraries without root ownership"
+ find:
+ paths:
+ - "/usr/lib"
+ - "/usr/lib64"
+ - "/lib"
+ - "/lib64"
+ file_type: "file"
+ register: library_files_not_group_owned_by_root
+
+- name: "Set group ownership of system library files to root"
+ file:
+ path: "{{ item.path }}"
+ group: "root"
+ state: "file"
+ mode: "{{ item.mode }}"
+ with_items: "{{ library_files_not_group_owned_by_root.files }}"
+ when:
+ - library_files_not_group_owned_by_root.matched > 0
+ - item.gid != 0
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
index e3d64a8390e..926ff70d1e4 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
@@ -1,45 +1,27 @@
<def-group>
- <definition class="compliance" id="root_permissions_syslibrary_files" version="1">
+ <definition class="compliance" id="root_permissions_syslibrary_files" version="2">
{{{ oval_metadata("
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, and
- objects therein, are group-owned by root.
+ Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
+ are owned by root.
") }}}
- <criteria operator="AND">
- <criterion test_ref="test_group_ownership_lib_dir" />
- <criterion test_ref="test_group_ownership_lib_files" />
+ <criteria >
+ <criterion test_ref="test_root_permissions_for_syslibrary_files" />
</criteria>
</definition>
- <unix:file_test check="all" check_existence="none_exist" comment="library directories gid root" id="test_group_ownership_lib_dir" version="1">
- <unix:object object_ref="object_group_ownership_lib_dir" />
+ <unix:file_test check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">
+ <unix:object object_ref="root_permissions_for_system_wide_library_files" />
</unix:file_test>
- <unix:file_test check="all" check_existence="none_exist" comment="library files gid root" id="test_group_ownership_lib_files" version="1">
- <unix:object object_ref="object_group_ownership_lib_files" />
- </unix:file_test>
-
- <unix:file_object comment="library directories" id="object_group_ownership_lib_dir" version="1">
- <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to group with gid 0 (root) -->
- <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>
- <unix:filename xsi:nil="true" />
- <filter action="include">state_group_ownership_libraries_not_root</filter>
- <filter action="exclude">group_dir_perms_state_symlink</filter>
- </unix:file_object>
-
- <unix:file_object comment="library files" id="object_group_ownership_lib_files" version="1">
- <!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to group with gid 0 (root) -->
- <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>
+ <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
+ <!-- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
+ are owned by root. -->
+ <unix:path operation="pattern match">^\/lib\/|^\/lib64\/|^\/usr\/lib\/|^\/usr\/lib64\/</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_group_ownership_libraries_not_root</filter>
- <filter action="exclude">group_dir_perms_state_symlink</filter>
+ <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
</unix:file_object>
- <unix:file_state id="state_group_ownership_libraries_not_root" version="1">
+ <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >
<unix:group_id datatype="int" operation="not equal">0</unix:group_id>
</unix:file_state>
-
- <unix:file_state id="group_dir_perms_state_symlink" version="1">
- <unix:type operation="equals">symbolic link</unix:type>
- </unix:file_state>
-
</def-group>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
index 8722c2add65..a4ae2854db1 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
@@ -1,9 +1,9 @@
-#!/bin/bash
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
do
if [[ -d $SYSLIBDIRS ]]
then
- find $SYSLIBDIRS ! -group root -exec chgrp root '{}' \;
+ find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \;
fi
done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
index 1079046d14e..c96f65b989c 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
@@ -1,10 +1,6 @@
-#!/bin/bash
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
-# There is a high probability that there will be nested subdirectories within the
-# shared system library directories, therefore we should test to make sure we
-# cover this. - cmm
-test -d /usr/lib/test_dir || mkdir -p /usr/lib/test_dir && chown nobody.nobody /usr/lib/test_dir
-for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me /usr/lib/test_dir/test_me
+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
do
if [[ ! -f $TESTFILE ]]
then
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 9569b2ad629..059750f59d0 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -208,6 +208,7 @@ selections:
# RHEL-08-010350
- root_permissions_syslibrary_files
+ - dir_group_ownership_library_dirs
# RHEL-08-010360
- package_aide_installed
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index e0eb5ac045c..ae3375fd4d4 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -34,7 +34,6 @@ CCE-85890-2
CCE-85891-0
CCE-85892-8
CCE-85893-6
-CCE-85894-4
CCE-85895-1
CCE-85896-9
CCE-85897-7
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index ebe7a91f45d..49cce4d81cc 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -99,6 +99,7 @@ selections:
- dconf_gnome_login_banner_text
- dconf_gnome_screensaver_idle_delay
- dconf_gnome_screensaver_lock_enabled
+- dir_group_ownership_library_dirs
- dir_perms_world_writable_root_owned
- dir_perms_world_writable_sticky_bits
- directory_permissions_var_log_audit
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 97f940dc9ed..943a57d3eb8 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -110,6 +110,7 @@ selections:
- dconf_gnome_login_banner_text
- dconf_gnome_screensaver_idle_delay
- dconf_gnome_screensaver_lock_enabled
+- dir_group_ownership_library_dirs
- dir_perms_world_writable_root_owned
- dir_perms_world_writable_sticky_bits
- directory_permissions_var_log_audit
From 71deac482753a13a9f98d6d7382b13e9031a2ce4 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Tue, 13 Jul 2021 13:40:25 -0400
Subject: [PATCH 3/4] Updated test for nobody_group_owned_dir rule
---
.../tests/nobody_group_owned_dir_on_lib.fail.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
index 277bd7d60de..043ad6b2dee 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
@@ -1,6 +1,6 @@
# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
-DIRS="/lib /lib64"
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
- mkdir -p "$dirPath/testme" && chown root:nogroup "$dirPath/testme"
+ mkdir -p "$dirPath/testme" && chgrp nobody "$dirPath/testme"
done
From 087359679e4f6794054b6772df6c84c4cd1fee94 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Wed, 14 Jul 2021 10:04:25 -0400
Subject: [PATCH 4/4] Added recommended $ to end of regex pattern to properly
match dirs
---
.../root_permissions_syslibrary_files/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
index 926ff70d1e4..f5ca9380b55 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
@@ -16,7 +16,7 @@
<unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
<!-- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
are owned by root. -->
- <unix:path operation="pattern match">^\/lib\/|^\/lib64\/|^\/usr\/lib\/|^\/usr\/lib64\/</unix:path>
+ <unix:path operation="pattern match">^\/lib(|64)?$|^\/usr\/lib(|64)?$</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
</unix:file_object>